|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: Menashe Eliezer (menashe_at_finjan.com)
Date: Wed Sep 04 2002 - 19:51:10 CDT
Marc,
Your issues have been escalated to me for resolution. I apologize for any
delay; it is always our intention to respond immediately to any customer or
product-related issue. Apologies aside, I would like to address the issues
you brought up with regard to the Finjan SurfinGate URL List feature.
SurfinGate’s help file makes the following statement regarding the intended
usage of the URL List: "The URL filtering feature is intended for use as a
white list solution, and allows the entry of active content from trusted
sites that may contain code that otherwise violates the organization's
security policy. It can also be used to block known hostile sites, but from
a security point of view, the URL filter has a limited assurance level for
actual code blocking. It is not recommended to trust this list as a strong
black list."
Finjan positions the URL List as a content management feature that gives
system administrators the ability to make security policy exceptions in
order to allow trusted content. However, the URL List was not designed to
be a strong black list, and that is why the help file currently does not
recommend it for this purpose. These are known issues. Our proactive
products are based on patented technologies, and the security doesn't
depend on managed lists.
Having said that, we WILL address the matter in an upcoming release as
content management issue. In fact, in April of this year, Finjan announced a
licensing agreement with SurfControl, the URL filtering company. In future
versions of SFG, the SurfControl URL categorization component will be
integrated with SFG for security purposes. This component will not allow
this type of exploit.
Thank you for your interest in Finjan Software and the SurfinGate family of
products. It is our mission to provide the most robust, proactive content
security solutions available in the market. I also thank you in advance for
your patience. For any future issues, please address them directly to
mcrc
finjan.com or supportfinjan.com as the infofinjan.com mailbox is more
of a general marketing communication mailbox.
Ken,
Thank you for your posting.
Regards,
Menashe Eliezer
Manager, Malicious Code Research Center
Finjan Software
http://www.finjan.com/mcrc
Prevention is the best cure!
-------Original Message----- From: Ken Fischer [mailto:kenf
Marc,
info
In any case, I made one 30 second call to the Finjan support line, and a *very* helpful individual directed me to contact their Malicious Code Research Center (mcrc
I am copying them on this reply, so that they have an opportunity to address your concerns ASAP.
<soapbox> I urge anyone that is willing to take the time and effort necessary to write/research vulnerability reports to also be willing to take a minimum amount of effort to notify the vendor. If you aren't, the damage is sometimes worth more than the good that is done. </soapbox>
Disclaimer: I am not associated in any way with Finjan. I am simply a security professional that wants to make sure that the information is in the hands of the correct people.
Best regards,
-- Ken Fischer, CCNA <kenf
On Wed, 4 Sep 2002, Marc Ruef wrote:
> Hi! > > I've found two possibilities to bypass the Finjan SurfinGate URL filter > - Tested with Finjan SurfinGate 6.0x on Windows NT 4.0 and 2000. > > 1. IP Tunnel > > Normally humans use domain- and hostnames instead of IP addresses. Most > users will add entries like "www.computec.ch" in the URL list of Finjan > SurfinGate to filter specific webservers. > > The main problem is, that the SurfinGate never does a lookup of the > contacted hostname. Now you can use IP addresses instead of hostnames to > reach the wanted ressource. A limitation of this bypassing technique is, > that it does not work with webservers, that use virual hosts. > > This problem is very heavy, if you use the SurfinGate as a plugin, where > the internal processes don't work with hostnames (I think that > Checkpoint Firewall-1 does it that way). Try to apply a rule to the > proxy-mechanism for using always hostnames instead of IP addresses. > > A possible workaround is to add additionally to the hostnames the used > IP addresses. Attention if the ressource uses virual hosting or have > multiple ip addresses. This solution slows down the whole SurfinGate, > because there is a new filtering line. > > 2. Dot/FQDN Tunnel > > In the Internet you have to use domain- or hostnames like > "www.computec.ch" to reach some webservers. Finjan SurfinGate does > identify the end of a domainname by a slash ("/"). > > If you add a simple dot at the end of the domainname (e.g. > "www.computec.ch."), the filtering mechanism could not catch the > request. The same problem is described for SuperScout in > http://www.securiteam.com/securityreviews/5SP010U0KQ.html . Additionally > it is possible to encode the dot like "%2E". > > A possible workaround is to add additionally to the normal hostname > (e.g. "www.computec.ch") the FQDN (fully qualified domain name) like > "www.computec.ch.". This slows down the whole SurfinGate also, because > there is a new filtering line. > > A tool for automated exploitation and a german analysis of the > vulnerability is available at > http://www.computec.ch/software/firewalling/url_filtering-tunnel/ > > I wrote one and a half week ago an email to info
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]